OpenClaw Flomo Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Flomo integration, but it can read private memos and create new ones using the Flomo login already present on the Mac.

Install only if you trust this skill with your private Flomo notes and the Flomo session on your Mac. Review the memo write and verify commands before running them, avoid pointing FLOMO_API_BASE or webhook settings at non-Flomo destinations, and do not share your Flomo config or access token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes Python scripts that use environment access, file reads, network access, and shell execution, but it declares no permissions or trust boundaries. This is dangerous because users and orchestrators cannot accurately assess what sensitive resources the skill may touch, including local flomo auth state, logs, and remote APIs, which increases the chance of overbroad or unintended access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior understates the actual capability of the skill: it can access authenticated remote memo data, recover webhook URLs, read local tokens and renderer logs, generate signed API requests, and perform verification flows that may write data. In this context, the mismatch is especially dangerous because a note-taking skill handles private personal content and hidden authentication material, so users may authorize it expecting simple local cache access while it actually has much broader account-level reach.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill reads local flomo configuration to obtain bearer tokens and app metadata, then uses them to call undocumented/private APIs. This expands the skill from memo handling into credential harvesting and authenticated account access, which is highly sensitive because it enables access to all account data without explicit user consent at execution time.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code includes logic to scrape bearer tokens from renderer logs, which is credential extraction from a sensitive local artifact unrelated to normal memo CRUD behavior. Log scraping is especially dangerous because logs may contain reusable authentication material not expected to be consumed by third-party tools.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill advertises local cache search and memo write support, but also performs authenticated remote API reads against account data. This mismatch matters because users and calling agents may not expect account-wide remote enumeration, increasing the risk of overcollection and privacy violations.

Description-Behavior Mismatch

Low
Confidence
78% confidence
Finding
This feature enumerates and summarizes tags across remote memos, which is broader metadata extraction than the stated skill purpose. Even if lower impact than full memo exfiltration, tag summaries can reveal sensitive topics, projects, or personal categories in aggregate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool silently reads a sensitive access token from environment or local config and uses it for API requests without user-facing disclosure. Secret use without clear notice or consent is risky because it can lead to unexpected authenticated access and makes misuse harder for users to detect.

Missing User Warnings

High
Confidence
99% confidence
Finding
Extracting bearer tokens from renderer logs without explicit warning is a sensitive secret-harvesting behavior. Because those tokens can authorize remote API access, compromise or misuse can directly expose private memo content and account metadata.

VirusTotal

64/64 vendors flagged this skill as clean.
